Recent WordPress Vulnerabilities, We’ve Got You Covered

The Internet Can Be A Scary Place

Here in the Triangle (Raleigh, Durham, Chapel Hill, NC) we rarely meet a person who doesn’t know of a business that has fallen prey to hacking. While the severity of these security breaches can vary, basic takeover and defacement of websites is all too common. Just recently, we learned that over 1.5 million WordPress websites suffered defacement attacks in the span of just a few days. Here’s what happened, and how you can ensure this never happens to you.

Recent WordPress 4.7.2 Update

On Thursday, Jan 26th, WordPress released security update 4.7.2. This critical update included security fixes for a new vulnerability in the WordPress Representational State Transfer (REST) API. REST is a stateless, client-server protocol that is mostly used over HTTP. In layman’s terms: REST lets other applications, websites, and servers retrieve data easily and automatically without needing to connect to a website through a browser. This allows information or data from a website to be communicated and passed between multiple websites while you browse the World Wide Web.

So a vulnerability in the WordPress REST API came to light, and WordPress secretly patched it in the update. Unfortunately, many busy business owners and hobby bloggers do not update their WordPress websites the second an update is pushed (tsk, tsk). This leaves millions of websites unpatched, and thus vulnerable.

ALWAYS UPDATE YOUR WORDPRESS WEBSITE

All too often, we talk to clients and business owners who haven’t updated their WordPress versions in years. This hurts my soul. Does “If it ain’t broke, don’t fix it” ring a bell? This does not apply to the internet, nor should it apply to your website. Many businesses have a buzzing WordPress site chock-full of plugins, API connections, and social feeds. Unfortunately, when WordPress pushes an update, it can sometimes cause problems with many of these websites. This makes website owners, especially those running e-commerce sites, wary of downloading and installing these updates when they pop up. And yes, they pop up more often than we might like, because the internet is a dynamic entity with new threats every day. If you’re a WordPress site owner who neglects to install the update, you and your business instantly become an easy target, as hackers will know that you have not patched security flaws. Delaying updates may seem like a viable short-term solution, and given the 24/7 nature of business, we understand why. Still, it is critical that you ALWAYS update your WordPress when an update is available.

The “Hacking” Show

Once word got out that this major WordPress vulnerability existed, hackers began to take notice and go to work. What started as standard defacement and link-pumping breaches quickly turned into a worldwide issue. Over 20 major hacker groups used this opportunity as a competition to see how many sites each group could deface. During this “competition” over 800,000 attacks occurred in less than 48 hours, and that counts ONLY the attacks recorded on sites monitored by the Wordfence security plugin for WordPress websites.

“This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites,” said Mark Maunder, Wordfence Founder and CEO. “During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor.”

That’s a mind-boggling stat, make no mistake. Our online environment delivers unmatched opportunity, but it also comes with significant risks that need to be taken into account. Don’t let your website turn into a mechanism for hackers to exploit. Just look at the image below, provided by Wordfence, which illustrates the groups involved in this massive attack.

Take Security Seriously

Security is too often an afterthought in online business practices, simply because past ages of business never had these vulnerabilities. Most business sites, even those created within the last few years, are all too commonly built with no security protocols in mind. If you have a business that relies on your website for sales, customer acquisition, interoffice management, or even your email systems, please take some time and have your programming audited by a security development team. Not only can this save you from many expensive problems down the road, it can also help protect you in the unfortunate situation that you do experience a breach and lose data. Remember, if you are operating a business that takes in sensitive personal information like banking records, credit card numbers, etc., you can be held liable if your security measures were lacking. Don’t let this happen to you. Hope for the best, plan for the worst, and protect your website.